An open letter, provided by Dr. Hemal Nayak
Dr. Hemal Nayak, board certified electrophysiologist for over 15 years and assistant professor of medicine at the University of Chicago Medicine, provides news detailing the discovery of significant vulnerabilities in cardiac implantable electronic devices (CIEDs).

Dear Patients and Colleagues,
As a cardiac electrophysiologist, I specialize in treating patients with heart rhythm disorders, particularly those that require treatment with cardiac implantable electronic devices (CIEDs) such as pacemakers and defibrillators.
I am currently an assistant professor of medicine at the University of Chicago Medicine and a board certified electrophysiologist in practice for over 15 years.
I decided to partner with MedSec because their research complements my research and interest in device function and device vulnerabilities. I serve as a consultant to MedSec and I am the principal Medical Officer in charge of medical studies as well as a board member.
Like many of the colleagues who recommend and implant CIEDs, I assumed that these devices are cybersecure. Sadly, from the research that MedSec has done, that is not uniformly the case. While I am not an expert in cybersecurity, I have witnessed, first-hand, the experiments MedSec has conducted and I have reviewed their findings.
Today, a financial partner issued a statement to the FDA based on research conducted by MedSec highlighting the cybersecurity vulnerabilities of the CIEDs manufactured by St. Jude Medical. Of note, the FDA encourages all stakeholders in medical device therapy to identify, report and collaborate to reduce cybersecurity risk.
In the past, popular media have sporadically reported on CIED vulnerabilities and fictional television shows have sensationalized the threat. To date, this investigation by MedSec is the largest independent investigation into the cybersecurity of the CIEDs and the first to provide meaningful results.
MedSec has exposed many ways that St. Jude Medical did not adequately protect its proprietary CIED communication scheme. This potentially enables unauthorized individuals to tamper with and affect CIED function. This research utilized St. Jude Medical's Merlin home monitoring as well as the unit's RF (radiofrequency) wireless communication system. As a physician who cares for patients with CIEDs, observing these experiments and realizing that devices could be manipulated outside of usual means was quite disturbing and upsetting.
While I am hopeful that the FDA will give patients and physicians guidance on what to do in light of this research, I am writing this statement to give my opinion and provide a medical perspective on what the findings mean for patients with these devices and for physicians who care for these patients.
In my mind, this CIED cybersecurity issue is, first and foremost, a patient safety issue. Based on what I have seen and the results from the experiments conducted, I feel compelled to bring this issue up to the electrophysiology community at large, especially since this is the first time an issue like this has come up. Additionally, I believe that patients with these CIEDs have the right to know.
First, I would like to stress that patients with implanted CIEDs manufactured by St. Jude Medical should not worry about the immediate function or performance of their devices. MedSec has not released detailed information about the vulnerabilities publicly and will not do so, and the details remain confidential. That being said, there may be individuals actively trying to "hack" into CIED networks.
Until the cybersecurity issues with the Merlin home monitoring network are remedied, I have recommended to my patients that they discontinue home monitoring. Unplugging the Merlin unit from the electrical outlet will effectively turn off that function. Patients can have their CIEDs checked or interrogated in person at the office or device clinic as necessary.
Unfortunately, discontinuing home monitoring does not remove all of the vulnerabilities. Because some of the threats involve the RF or wireless communication scheme (which cannot be reduced by discontinuing home monitoring), MedSec has identified temporary solutions while the larger issues are being addressed. MedSec believes that this information will be shared with St. Jude Medical. I would encourage patients to accept any corrective patches or software from the FDA or St. Jude Medical that may reduce these risks.
For patients who don't currently have CIEDs but are considering device therapy, I advise them to discuss this cybersecurity issue involving St. Jude Medical with their physician. Device therapy saves lives and a patient should not refuse recommended device therapy based on this issue alone.
MedSec has performed security assessments of CIEDs manufactured by other companies and, while not perfect, has not found serious vulnerabilities. As an electrophysiologist, I have stopped implanting CIEDs manufactured by St. Jude Medical but continue to use other companies.
For most of us, the topic of CIED cybersecurity is something "out of left field". As such, it is scary and unsettling. MedSec is working diligently and is confident that solutions to these vulnerabilities will be found and risks to patients mitigated.
Hemal Nayak, MD, FACC, FHRS
Participation with MedSec is made by Dr. Nayak in his personal capacity. Any statements made and opinions expressed with regard to MedSec research are Dr. Nayak's own and do not relate to nor reflect the views of the University of Chicago or the University of Chicago Medicine.